United States Department of Defense Computer System Security Criteria (Orange Book), TCSEC
The "Trusted Computer System Evaluation Criteria", informally called the Orange Book, were developed by the US Department of Defense in 1983 to define the security requirements for the hardware, software and special-purpose software of computer systems, and to establish an appropriate methodology and technology for analyzing how well a security policy is supported in computer systems intended for military use.
This document was the first to give normative definitions of such concepts as "security policy" and "trusted computing base" (TCB).
The security concepts proposed in this document and its set of functional requirements served as the basis for all subsequent security standards.
Classification of the requirements and criteria of the Orange Book. The Orange Book proposes three categories of security requirements: security policy, audit and correctness. Within them, six basic security requirements are formulated. The first four are aimed directly at protecting information, and the last two at the quality of the protection mechanisms themselves. Let's look at these requirements in more detail.
1. Security Policy.
Security policy. The system must maintain a well-defined security policy. The ability of subjects to access objects must be determined on the basis of their identification and a set of access control rules. Where necessary, a mandatory access control policy must be used to effectively enforce the separation of access to classified information (information marked with a security label: "secret", "top secret", etc.).
Security labels used as access control attributes must be associated with objects.
To implement mandatory access control, the system must be able to assign each object a label or a set of attributes that determine the object's degree of confidentiality (security classification) and/or the permitted modes of access to it.
2. Audit.
Identification and authentication. All subjects must have unique identifiers. Access control must be carried out on the basis of identifying the subject and object of access, confirming the authenticity of their identifiers (authentication), and applying the access control rules. The data used for identification and authentication must be protected from unauthorized access, modification and destruction, and must be associated with all active components of the computer system whose functioning is critical from the point of view of security.
Registration and accounting. In order to hold users accountable for their actions in the system, all security-relevant events occurring in it must be monitored and recorded in a protected log. The registration system must analyze the overall flow of events and extract from it only those that affect security, in order to reduce the volume of the log and increase the effectiveness of its analysis. The event log must be reliably protected from unauthorized access, modification and destruction.
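As an added illustration (not part of the TCSEC text), the following Python sketches a reference monitor that combines discretionary access control with label-based mandatory control, applying the classic confidentiality rule (no read up, no write down) to hierarchical levels and compartments, and keeping an audit trail of only the security-relevant events, as the registration requirement above demands. The levels, subjects and objects are constructed for the example.

```python
from dataclasses import dataclass, field

# Hierarchical secrecy levels, lowest to highest (constructed for this example).
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}


@dataclass(frozen=True)
class Label:
    """Security label: a hierarchical level plus a set of non-hierarchical compartments."""
    level: str
    compartments: frozenset = frozenset()

    def dominates(self, other: "Label") -> bool:
        # A label dominates another if its level is at least as high and it
        # carries every compartment of the other label.
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)


@dataclass
class Subject:
    name: str            # unique identifier, assumed already authenticated
    clearance: Label


@dataclass
class Obj:
    name: str
    classification: Label
    acl: dict = field(default_factory=dict)  # discretionary part: subject name -> allowed modes


class ReferenceMonitor:
    """Mediates every access and records only security-relevant events."""

    def __init__(self) -> None:
        self.audit: list = []

    def check(self, subject: Subject, obj: Obj, mode: str) -> bool:
        dac_ok = mode in obj.acl.get(subject.name, set())
        if mode == "read":        # no read up: subject must dominate the object
            mac_ok = subject.clearance.dominates(obj.classification)
        elif mode == "write":     # no write down: object must dominate the subject
            mac_ok = obj.classification.dominates(subject.clearance)
        else:
            mac_ok = False        # unknown mode is always refused
        granted = dac_ok and mac_ok
        # Keep the log small: record denials and every write, not routine reads.
        if not granted or mode == "write":
            self.audit.append((subject.name, obj.name, mode, "granted" if granted else "denied"))
        return granted
```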
3. Correctness.
Control of the correct functioning of the protection mechanisms. The protection mechanisms must include independent hardware and/or software components that ensure the operability of the protection functions. This means that all mechanisms enforcing the security policy, managing attributes and security labels, performing identification and authentication, and carrying out registration and accounting must be controlled by tools that verify the correctness of their functioning. The basic principle of correctness control is that the controls must be completely independent of the protection mechanisms they verify.
Continuity of protection. All protection mechanisms (including those implementing this requirement) must be protected from unauthorized interference and/or disabling, and this protection must be constant and continuous in every mode of operation of the protection system and of the computer system as a whole. The requirement applies to the entire life cycle of the computer system. In addition, its fulfillment is one of the key aspects of a formal proof of system security.
These basic security requirements serve as the basis for criteria that form a single scale for evaluating the security of computer systems, defining seven security classes.
Computer system security classes. The Orange Book provides four groups of criteria that correspond to different degrees of protection: from minimal (group D) to formally proven (group A). Each group includes one or more classes.
Groups D and A contain one class each (classes D and A, respectively), group C contains classes C1 and C2, and group B contains classes B1, B2 and B3, each characterized by a different set of security requirements. The level of security increases when moving from group D to group A, and within a group with increasing class number.
Group D. Minimum protection.
Class D. Minimum protection. All systems that do not meet the requirements of other classes belong to this class.
Group C. Discretionary protection.
The group is characterized by discretionary access control and registration of subjects' actions.
Class C1. Discretionary protection. Systems of this class meet the requirement of separating users and information, and include access control and management tools that allow restrictions to be set for individual users, enabling them to protect their private information from other users. Class C1 is intended for multi-user systems in which data of the same level of secrecy is processed jointly.
Class C2. Controlled access protection. Systems of this class exercise more selective access control than Class C1 systems, through individual control over user actions, registration, event accounting and resource allocation.
Group B. Mandatory protection.
The main requirements of this group are mandatory access control using security labels, support for a security model and policy, and the availability of specifications for the TCB functions. For systems in this group, the reference monitor must mediate all events in the system.
Class B1. Labeled security protection. Class B1 systems must meet all the requirements for Class C2 systems and, in addition, must support an informally defined security model, data labeling and mandatory access control.
Information exported from the system must be labeled. Deficiencies discovered during testing must be eliminated.
Class B2. Structured protection. To comply with Class B2, the TCB of the system must support a formally defined and clearly documented security model providing discretionary and mandatory access control which, unlike in Class B1 systems, extends to all subjects and objects. In addition, covert channels of information leakage must be monitored. The elements that are critical from the point of view of security must be isolated in the structure of the TCB. The TCB interface must be clearly defined, and its architecture and implementation must be designed with testability in mind. Authentication mechanisms must be strengthened compared to Class B1.
Security management is performed by system administrators. Configuration management tools must be provided.
Class B3. Security domains. To comply with this class, the TCB of the system must support a reference monitor that controls all types of access of subjects to objects and cannot be bypassed. In addition, the TCB must be structured so as to exclude from it subsystems that are not responsible for implementing protection functions, and must be compact enough for effective testing and analysis. During the development and implementation of the TCB, methods and tools aimed at minimizing its complexity must be used.
Audit tools must include mechanisms for notifying the administrator when security-relevant events occur. Mechanisms for trusted recovery of the system must be available.
Group A. Verified protection.
This group is characterized by the use of formal methods to verify the correctness of the access control mechanisms (discretionary and mandatory). Additional documentation is required to demonstrate that the architecture and implementation of the TCB meet the security requirements.
Class A1. Formal verification. Class A1 systems are functionally equivalent to Class B3 systems, and no additional functional requirements are imposed on them. Unlike Class B3 systems, however, formal verification methods must be used during development, which makes it possible to obtain a correct implementation of the protection functions with high confidence. The process of proving the adequacy of the implementation begins at an early stage of development with the construction of a formal security policy model and high-level specifications. To support the verification methods, Class A1 systems must include more powerful configuration management tools and a trusted distribution procedure.
The highest security class, which requires verification of the protection mechanisms, rests on a proof that the software conforms to its specifications using special techniques; this proof, however (very expensive, time-consuming and practically infeasible for real operating systems), does not confirm that the implementation of the security policy is adequate.
According to the Orange Book, a secure computer system is a system that supports access control to the information processed in it in such a way that only the relevant authorized users or processes acting on their behalf are able to read, write, create and delete information.
These security classes long defined the basic concepts of security and the course of development of protection mechanisms.
The obsolescence of a number of the Orange Book's provisions is primarily due to the intensive development of computer technology. A great deal of work has been done to develop the provisions of this standard in order to correct those that became inaccurate as the hardware platform changed, to adapt them to modern conditions, and to make them adequate to the needs of software developers and users. As a result, a number of documents accompanying the Orange Book have appeared, many of which have become an integral part of it.
A range of specific issues related to the security of computer networks and database management systems is covered in separate documents published by the US National Computer Security Center as supplements to the Orange Book.
Thus, the US Department of Defense "Computer System Security Criteria" represent the first attempt to create a unified security standard intended for developers, consumers and computer system certification specialists. At the time, this document was a real breakthrough in the field of information technology security and served as a starting point for numerous research and development efforts. Its main distinguishing feature is its focus on military applications, and mainly on operating systems. This predetermined the dominance of requirements aimed at preserving the secrecy of the processed information and excluding any possibility of its disclosure. Much attention is paid to security labels (secrecy labels) and to the rules for exporting classified information.
The Orange Book served as the basis for the developers of all other information security standards and is still used in the United States as a guidance document for the certification of computer information processing systems.